Data Breach Protection Claims and Compensation

Our personal data is valuable, however too often organisations are misusing, losing or negligently allowing cybercriminals access to this information, the results of which can be devastating for anyone. 

If you can prove that you are the victim of a personal data breach that has led to financial damages or distress beyond a mild convenience, you should be able to claim compensation.

If you’ve discovered that you have been the victim of a personal data breach, or you have found that your information has been misused in a manner that breaches the Data Protection Act 2018 then you may be due compensation.

We help victims of data breaches claim against organisations who have failed to protect their personal data. Our team can advise you if you have a valid claim and then guide you through the rest of the process. 

We can determine if you have a valid data protection breach claim and guide you through the claims process. Get in touch today with details of your breach.

Get in touch with us today if you’d like to make a claim. 

Get In Touch

What is a data breach?

A data breach is an incident that leads to personal data being destroyed, lost, corrupted or disclosed. This includes someone passing on personal data without authorisation, someone accessing the data who shouldn’t, or the unavailability of personal data having a negative effect on an individual.

What is personal data?

Personal data is information which can be used to directly identify the relating persons. Personal data can also be information that can be used to indirectly identify a person, when used in combination with other information.

If an individual is identifiable from the information, then this may be personal data. Importantly, information must relate to an individual, in order for it to be considered personal data.

For example, although a name is a common means of identifying someone, a name alone, such as Jane Smith may not be sufficient to identify a specific person. However, a name in conjunction with a phone number and address relating to this name would make it constitute personal data.

How do I know if I’ve suffered from a data breach?

You might not always be made aware that you’ve suffered a data breach straight away, although organisations are bound by law to inform you as soon as possible, in some cases they might not be aware that the breach has taken place at all.

Here are some ways that you might be informed of a data breach:

  • You may be notified of a breach by an organisation by email, letter or phone call. An organisation may inform you that your personal data that is stored with them has been breached.
  • You could be copied into an email that contains personal information of yours. You may receive an email from an organisation containing your personal information and notice that other people have been copied in.
  • Your information may have been unintentionally shared via legal documentation. Your contact details may have been inadvertently shared with others in the course of a legal battle. This could lead to your information being shared with those who you are opposed against.
  • You may receive notice that a loan has been taken out in your name, or money has left your account. You could receive notification from a bank or credit organisation that your personal information has been used without your knowledge.
  • You may be contacted by a person you are trying to avoid who has been given personal data pertaining to you. An organisation may have intentionally or accidentally disclosed your contact details to persons who wish to harm you, such as an abusive partner or biological parent of a foster child.

Read more data protection breach examples to see if any of these are similar to your own case.

How to check a data breach

If you’ve been notified of a data breach in the case of the above examples, or if you believe that your personal data has been breached in another way, then we may be able to help you claim compensation.

Our team of friendly legal experts can advise you as to whether or not you’ve been the victim of a data breach. They can then guide you through the claims process, we’ll make sure to leave the legal jargon out of it and keep you updated with every step through your claim.

Unfortunately, not all data breaches can provide the grounds for a valid compensation claim. We’ll be able to let you know if you’re able to make a claim, if your claim isn’t valid then we’ll be able to point you in the direction of guidance elsewhere.

If we believe your case meets the requirements of a successful data breach compensation claim then we’ll explain your options and may take your case on a no win, no fee basis.

We’ll assess your data breach case free of charge. Use the contact form to let us know the details of your case and we’ll get back to you with an answer as soon as possible.

Who can make a data protection breach compensation claim?

According to the GDPR, anyone living within the EU can make a claim after a data protection breach has caused them to suffer ‘material or non-material damage’. Individuals and organisations alike can claim compensation for data protection breaches.

In order to make a successful claim, it must be proved that the claimant has suffered as a result of the breach. The success of a claim and the amount of compensation that will be awarded will depend on the severity of the damage caused to the claimant.

What can you claim data breach compensation for?

The GDPR makes allowances for data protection breach claims to be made as a result of both material and non-material damages. Compensation can be made as a result of direct financial loss, as well as non-material distress.

Examples of data breaches can vary wildly, the most straight forward data breach compensation claim can be made when a data breach has directly led to an individual losing money. Claims can also be made for lost earnings, such as in the case where a claimant is terminated from a role as the result of a data protection breach.

In 2014 a precedent was set in UK law that a claim for compensation as a result of data breach could be made even if the claimants had not suffered any financial loss. The case of Juith Vidal-Hall (2) Robert Hann (3) Marc Bradshaw V Google involved a group of individuals suffering distress after learning that their ‘personal characteristics’ informed Google’s advertisements that were shown to them on their mobile devices, even after they had set their privacy settings to block third party cookies.

Claimants suffering from distress, anxiety or worry as a result of a data protection breach can claim for compensation to pay for any private treatment that they might require, such as counselling. It’s also possible to claim if the breach has caused a recognised psychological condition, or had a general effect on the claimant’s domestic or social life.

The amount of compensation that you can claim for a data breach depends on a number of factors including the sensitivity of the information, the length of time between the organisation finding out about the breach and informing you, your financial losses and any distress that has been caused as a result.

Find out more about data breach compensation amounts.

Reporting a data breach

Organisations are required to report all data breaches to the Information Commissioner’s Office (ICO). This public body upholds information rights in the public interest and fine organisations that violate data protection laws. The ICO took 28 enforcement actions against organisations in 2019 – these include telecoms provider EE and Her Majesty’s Revenue & Customs.

If you think you’ve been effected by a data breach

We can offer advice and guidance on your next steps.

Get In Touch

When should an organisation report a data breach?

According to the ICO, an organisation should report a notifiable data breach without delay and no later than 72 hours after becoming aware of it. However, the organisation does not always have to inform the individuals that are affected by the breach.

In cases where the breach of personal data only leads to a mild inconvenience on the individuals affected, organisations can avoid informing them altogether. Organisations must perform a risk assessment after discovering a personal data breach which should direct their actions. The ICO can, however, force them to inform individuals, if they deem the data breach to pose a serious risk.

Organisations who delay reporting a data breach could put an individual into even further risk of damage, this could then be used as the basis of a data breach claim.

What are the consequences of a data breach?

The consequences of a personal data breach can be far-reaching and potentially life-altering. Our team has fielded hundreds of data breach enquiries and understand how much they can affect a person’s life.

Financial – A data breach can have a devastating effect on your finances, regardless of how secure you may be. Many data breaches involving financial information don’t result in an immediate loss, however, as the data may be stored and sold at a later date.

Personal – In some cases, a personal data breach could lead to major life changes. A breach may force a person to move house, lose their job or be separated from their family. These have their own set of consequences that go beyond financial damages.

Psychological – Perhaps most importantly, a data breach can cause intense stress and psychological trauma to an individual, especially in cases involving abusive relationships and family disputes. These damages can not be understated and should be compensated accordingly.

How much can you claim for a data breach?

The amount of compensation you can claim for a data breach will depend on the circumstances. For example, in cases where your name has been breached in conjunction with financial details, you could reasonably claim up to £5,000. You may be able to claim more for a data breach if you can prove that breach has more than just damaged your finances. If the consequences of a data breach have negatively affected a pre-existing illness then you may be able to claim more compensation as a result.


Data Breach Help is run by the accredited Cobleys Solicitors Ltd, one of the largest specialist litigation practices on Merseyside. Recommended by The Times as one of the Top 200 Law Firms in the UK, Cobleys Solicitors Ltd runs Data Breach Help with its industry-leading experts and premium resources.


How long do you have to make a claim for a data breach?

You have 6 years from the date of the breach to claim to provide evidence that you have suffered damages or stress related to it.

What constitutes a breach of data protection?

A breach of data protection is more than just the loss of information. It is a breach of security which has led to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. The cause for the breach can be accidental or deliberate.

How long does an organisation have to report a data breach?

An organisation should report a data breach to the ICO within 72 hours of discovery. They should inform any individual affected by the data breach as soon as possible, if the breach has posed them at risk of damage.

When must data breaches involving personal data be reported?

All personal data breaches that carry a risk to people’s rights or freedoms must be reported to the ICO. This means that organisations do not have to report all data breach involving personal data to the ICO or the individuals affected.

Is ransomware a data breach?

A successful ransomware attack which renders personal data inaccessible could be viewed as a data breach by the ICO. Data controllers are legally bound to take appropriate measures to ensure that personal data is secure, failure to do so finds them in breach of the Data Protection Act.

Can I claim compensation for a data breach?

Under the GDPR, you have a right to claim compensation from an organisation if you have suffered damage as a result of a personal data breach. This includes both “material damage” (e.g. you have lost money) or “non-material damage” (e.g. you have suffered distress).

You’ll only be able to do so, however, if the damages are significant enough to warrant a claim. Whether or not you can claim compensation for a data breach will depend on the type of breach, if it has affected you financially and if you have suffered distress from it. For example, you would not have a valid claim if a personal data breach resulted in a minor inconvenience to you.

It’s only feasible for solicitors to take on data breach compensation claims when the claimant’s case meets these criteria. If the claimant is only mildly inconvenienced by the breach and does not suffer financially, then a successful claim would not result in enough compensation to cover the legal costs. 

How common are data breaches?

Data breaches are more common than ever. Over 7000 data breaches were recorded in 2019 ( ) with over 15 billion records being recorded as lost. Whilst every breach might not be publicised in the news, thousands occur every year, affecting people from all walks of life.

What causes data breaches?

Common causes of tech data breaches are weak passwords, vulnerabilities in applications and malware. Hundreds of data breaches occur each year through insider error. Emails are sent to entire databases with sensitive information and records are lost through negligence. Data breaches are usually caused by people accidentally, as opposed to cybercriminals intentionally.

What law relates to Data Protection Breach compensation?

Article 82 of the GDPR relates to the right to compensation as a result of a data protection breach. It states that: ‘Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.’

The Data Protection Act 1998 was replaced by the General Data Protection Regulations and the Data Protection Act 2018 in May 2018. The introduction of these regulations and laws lead to a rush of emails being sent out from all manner of organisations. Many complained about this influx of legal babble in their inbox, but this dump of information led to the general public becoming more aware of their rights in relation to their data protection rights.

Can you receive data breach compensation from the Information Commissioner’s Office (ICO)?

The Information Commissioner’s Office (ICO) does not reward individuals or organisations with data breach compensation. The ICO is the UK’s independent authority governing information rights in the public’s interest, whilst they do not award compensation, they can fine organisations failing to meet their standards.

They serve an important role in the data protection sphere through the information that they publish on their website and their power to fine organisations who do not meet the standards set by the GDPR and Data Protection Act 2018.

Whilst the ICO does not have the power to award compensation to those suffering from a data protection breach, they do have the investigative authority to assess an organisation who has been reported as being guilty of a breach. Should the ICO support your assertion that an organisation has breached the GDPR or DPA 2018, then you will be in a better position to make a compensation claim against that organisation. However, it is not necessary for you to contact the ICO before making a data breach compensation claim.

If you feel you are entitled to GDPR data breach compensation, then get in touch with us today to find out just how much you could claim.